🔥 3-day streak
Microsoft Security Operations Analyst70 / 190
Question 70 of 190

A threat hunter in a retail company suspects that an attacker used a compromised OAuth token to access files stored in the organization's SharePoint Online sites. The hunter wants to build a single Advanced Hunting query in Microsoft Defender XDR that returns file download activities recorded against cloud apps such as SharePoint and OneDrive, including the source IP address and the acting user account. Which table should the hunter query?

Reviewed for accuracy · Report an issueNext question